Cyber espionage represents “the greatest transfer of wealth in history,” the former NSA director, Gen. Keith Alexander, stated back in 2012. NSA’s current director, Adm. Michael Rogers, is more concerned about the trustworthiness of the data that the military and private sector entities use to make decisions.
Adm. Rogers is not alone in ringing this alarm bell. FBI Director James Comey addressed an audience at Georgetown University’s cyber security conference earlier this spring, noting “(i)ncreasingly, we’re worried not just about the loss of data but the potential manipulation of data, the corruption of data.” The Director of National Intelligence James Clapper explained this concern in more detail, stating, “(f)uture cyber operations will almost certainly include an increased emphasis on changing or manipulating data to compromise its integrity (i.e., accuracy and reliability) to affect decision making, reduce trust in systems, or cause adverse physical effects.”
We term the malicious manipulation of data that keeps top U.S. security officials awake at night information sabotage. Using sabotage against an adversary to advance one’s political agenda is an age-old phenomenon. Sabotage has been used in fierce industrial competition, direct action activism, terrorism, popular revolts, special operations—and of course, war.
In our view, information sabotage plays a role similar to its more traditional cousin. Our definition of information sabotage is: a deliberate and hostile action aimed at a target’s information sources, flows, and assets, with the intention of affecting the target by manipulating information, its availability, and the pace at which it becomes available.
In other words, information sabotage can hinder or halt a targeted entity’s operations, as critical information has been rendered untrustworthy, unavailable, or otherwise incomprehensible.
In practice, information sabotage takes various forms. Saboteurs may:
- Deny or degrade information. It is in the attacker’s best interest to prevent the target from realizing that it needs certain information to successfully conduct its mission. If this isn’t an option, the target can be denied the information it needs. Information sources can also be poisoned with deceptive or misleading content. Valid sources can be hidden among an avalanche of useless imposter information, concealed to appear as nonsense, or transformed into something unrecognizable.
- Manipulate the flow of information in and out of the organization. If the target has successfully tapped into proper sources, the information flows themselves can be manipulated. In addition to content manipulation, the pace of information flows can be slowed down or sped up to produce an effect.
- Manipulate information assets. As the content of an information flow is stored in data repositories, it becomes the organization’s internal information assets. These assets and the information in them can be manipulated to impact the processes and operations that rely on them, and to undermine trust in the organization’s information assets and their integrity.
- Manipulate internal information flows. Information can also be manipulated when it is shared from the repository to end users or to the processes that rely on it. Similar manipulation can be conducted during data maintenance or updates.
- Manipulate or destroy the target’s data archives. This ensures the target organization has no reliable and trustworthy data at all to which it could return in order to regain control of its information environment.
While all of the above may sound generic and theoretical, we have witnessed information sabotage in action. Some of these operations have had direct cause-and-effect mechanisms, while in other cases information sabotage plays out over the long term and the causal mechanisms become more complex. Examples include:
- As an example of the potential impact of a poisoned information source, in 2013 a hacked AP Twitter account spewed misinformation, which caused a major, though temporary, stock market reaction. The temporary Dow plunge of more than 140 points was reportedly due to automated electronic trading algorithms that reacted to faked news headlines coming from a usually trusted source.
- The Stuxnet virus is a classic example of manipulating internal information flows to mislead human operators. Falsified sensor information deceived Iranian process operators, while in reality the centrifuges were being driven by a set of instructions designed to wear them down.
- Several cases already exist where manipulation of information assets and misuse of existing processes in the banking sector have led to dramatic financial losses. A recent heist of this kind was the Bangladesh central bank’s information manipulation case, where $81 million was lost due to added fraudulent data entries. Bangladesh was spared further losses because the thieves accidentally made a typo—which prevented up to $1 billion from being stolen.
- As a more speculative case of manipulating information assets to erode an organization’s trust in them, there was some public commentary on what the outcome would have been if last summer’s OPM breach had been an information sabotage case instead of another case of Chinese cyber espionage.
While there is no simple “silver bullet” solution to fight information sabotage, a range of protective actions are available. These include:
- An organization should conduct an analysis to identify its mission-critical information assets. This will help the organization focus its protective efforts on mission-critical information sources, flows, and assets instead of embarking on a fruitless mission of trying to protect everything. Completing this first step is fundamental for the organization to build any resilience against information sabotage attacks—it must be able to tell whether a specific piece of information has suspicious characteristics hinting that it has been subtly manipulated, even though it “seems correct.”
- The information supply chain that connects the organization to its key outside sources needs to be hardened. The sources need to be selected carefully to ensure their validity and trustworthiness at all times. Flows need to be protected from tampering to secure the integrity of information in transit.
- An organization needs procedures and technology to maintain situational awareness of its information assets and the operating status of its core operations. The idea is to understand what critical information assets and flows look like when the organization and its core operations are functioning properly. It is also necessary to identify the people and processes that have the right to make changes to mission-critical information assets. This pinpoints any unwanted and unauthorized changes to information assets or flows, and thus helps prevent perpetrators from reaching their goals.
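The last two points above (protecting the integrity of information assets and knowing who is allowed to change them) can be made concrete with a keyed integrity baseline. The following is an added example written for this article, not code from the authors or from Sparta Consulting. It assumes a constructed table of approved payee accounts as the mission-critical asset, a hypothetical integrity key held outside the data store (for instance in a KMS or on a separate host), and a named approver for legitimate changes; record values and names are made up. A saboteur who can write to the repository but does not hold the key cannot recompute valid tags, so a record that “seems correct” to a human reader is still flagged, while a change made through the authorized path is re-tagged and not flagged.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed sample of a mission-critical information asset: approved payee
# bank accounts. All values are made up for this example.
PAYEES: List[dict] = [
    {"id": "P-001", "name": "Acme Parts Oy", "iban": "FI00 0000 0000 0000 01"},
    {"id": "P-002", "name": "Northwind Logistics", "iban": "FI00 0000 0000 0000 02"},
    {"id": "P-003", "name": "Contoso Steel", "iban": "FI00 0000 0000 0000 03"},
]

# Hypothetical integrity key. In practice it lives outside the data store so
# that write access to the repository alone is not enough to forge tags.
INTEGRITY_KEY = b"example-only-key-do-not-use-in-production"


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so equal content yields equal tags."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def tag(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """Keyed integrity tag (HMAC-SHA-256) over one record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def build_baseline(records: List[dict], key: bytes = INTEGRITY_KEY) -> Dict[str, str]:
    """Baseline manifest (record id -> tag), taken while the asset is known good."""
    return {r["id"]: tag(r, key) for r in records}


def detect_tampering(records: List[dict], baseline: Dict[str, str],
                     key: bytes = INTEGRITY_KEY) -> Dict[str, List[str]]:
    """Compare the current store against the baseline and report record ids
    that were added, modified or removed outside the authorized change path."""
    current = {r["id"]: tag(r, key) for r in records}
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(i for i in current if i in baseline
                      and not hmac.compare_digest(current[i], baseline[i]))
    return {"added": added, "modified": modified, "removed": removed}


def authorized_update(records: List[dict], baseline: Dict[str, str], record_id: str,
                      changes: dict, approver: str, key: bytes = INTEGRITY_KEY) -> dict:
    """The legitimate change path: an attributed approver changes a record and the
    baseline is re-tagged, so the change is both authorized and traceable."""
    if not approver:
        raise PermissionError("change must be attributed to an approver")
    for r in records:
        if r["id"] == record_id:
            r.update(changes)
            baseline[record_id] = tag(r, key)
            return {"id": record_id, "approver": approver}
    raise KeyError(record_id)


def demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Run a sabotage scenario and an authorized-change scenario on a copy of
    the sample asset; returns the two tamper reports."""
    store = copy.deepcopy(PAYEES)
    baseline = build_baseline(store)

    # Scenario 1: someone with write access silently swaps one IBAN. The new
    # value looks as plausible as the old one, but the tag no longer matches.
    store[1]["iban"] = "FI00 0000 0000 0000 99"
    sabotage_report = detect_tampering(store, baseline)

    # Scenario 2: the same change made through the authorized path is re-tagged
    # by a named approver and is no longer reported.
    authorized_update(store, baseline, "P-002",
                      {"iban": "FI00 0000 0000 0000 99"}, approver="treasury-lead")
    clean_report = detect_tampering(store, baseline)
    return sabotage_report, clean_report


if __name__ == "__main__":
    sabotage, clean = demo()
    print("after silent edit:   ", sabotage)
    print("after approved change:", clean)
```

The baseline answers the “what does normal look like” question from the third point: the check runs on a schedule or before the asset is consumed by a critical process, and anything reported as modified, added or removed without a matching approver record is an integrity incident to investigate rather than data to act on.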
While it can be damaging for an organization to lose its information to competitors or to the prying eyes of a hostile nation-state, it can be far more costly to lose trust in the information assets that enable the organization to fulfill its mission.
The almost limitless possibilities that information sabotage offers to criminals, terrorists, and nation-states alike underscore the very real threat. Companies and nations alike must be ready for this next evolution of malicious behavior in cyberspace.
Jani Antikainen is a serial entrepreneur, venture capitalist, and the CEO of Finland-based Sparta Consulting. His latest start-up, Sparta Consulting, focuses on protecting organizations’ critical information assets from malicious manipulation.
Pasi Eronen is the lead researcher for FDD’s Russia project, where his work focuses on economic coercion, hybrid threats, and their nexus with cyber and information warfare. Eronen also serves on the advisory board of Sparta Consulting, a Finnish cyber security start-up. Twitter: @pasieronen
Photo: NARA, 1942-1943